Cyber Activities Added to the OFAC Target List – How do you ensure you are compliant?

In December of 2015 the Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) issued regulations implementing the President’s April 1, 2015 Executive Order (“EO”), “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities.”  The buzz around the water cooler is that many businesses are worried about the implications of these regulations for their everyday business and cyber security activities like network defense and the use of encryption.  Fear not, OFAC is not coming after your IT department.  These regulations are not meant to deter companies or individuals from protecting themselves or their data, but to identify, isolate, and cripple foreign cyber terrorists and those that pose a threat to national security, foreign policy, or the health of the U.S. economy.

The EO and corresponding regulations permit OFAC to designate and block entities, both individuals and companies, that engage in certain cyber-enabled activities outside of the United States. U.S. Persons (individuals and entities) are prohibited from transacting with any person so designated.  Designated persons that come within U.S. jurisdiction can be “blocked” or frozen, meaning their property interests and assets within the U.S. are frozen, as is their ability to enter the U.S. and transact with U.S. persons.  These prohibitions and consequences are fairly standard in the OFAC world.  There are also a few general licenses allowing for certain services, such as legal and financial service charges on blocked accounts, and emergency medical services. Note that these prohibitions have been in place for months now, and no specific designations under the program have yet been made.  So it is unclear how aggressively OFAC will enforce these sanctions.

Foreign sanctionable activities under the EO and the new regulations include:

  • harming, or otherwise significantly compromising the provision of services by, a computer or network of computers that support one or more entities in a critical infrastructure sector;
  • significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  • causing a significant disruption to the availability of a computer or network of computers;
  • causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain;
  • through cyber-enabled means, involvement in the misappropriation of trade secrets that are a significant threat to the national security, foreign policy, or economic health or financial stability of the United States;
  • providing support for or attempting to engage in any of the above activities; or
  • owning, controlling, or acting on behalf of any entity that has committed any of the above activities.

OFAC plans to supplement the current regulations in the future.  This could theoretically provide definitions, interpretive guidance and additional license opportunities.  However, as of now, there are no guarantees as to what OFAC will decide to include in the regulations.

OFAC has noted it is not looking to target “the unwitting owners of compromised computers” and that the sanctions are not “designed to prevent or interfere with legitimate network defense or maintenance activities performed by computer security experts and companies as part of the normal course of business on their own systems, or systems they are otherwise authorized to manage.”  Michael Daniel, Special Assistant to the President and cybersecurity coordinator, echoed these sentiments when he stated, “We are focusing on those actors that pose a significant threat to the national security, the foreign policy or the economic health or security of the United States as a whole.”  He noted examples of sanctionable activities may include “…damaging attacks on our critical infrastructure; disrupting computer networks through a widespread distributed denial of service attack; widespread or significant thefts of personal information, financial data, trade secrets or personal property; and the knowing use or receipt of those stolen goods.”

So, how should businesses respond to these prohibitions?  Designations will happen at any time and without notice. The designated individuals and entities will be listed on OFAC’s Specially Designated Nationals (“SDN”) List.  Thus, the best defense is to be proactive.  U.S. entities should conduct appropriate due diligence on all parties. And, as always, make sure you check all the restricted parties lists and keep records of these diligence activities.